Fast address translation for virtual machines

ABSTRACT

A host machine uses a range-based address translation system rather than a conventional page-based system. This enables address translation to be performed with improved efficiency, particularly when nest virtual machines are used. A data processing system utilizes range-based address translation to provide fast address translation for virtual machines that use virtual address space.

STATEMENT REGARDING FEDERALLY SPONSORED RESEARCH OR DEVELOPMENT

This invention was made with Government support under the Fast Forward 2 contract awarded by the U.S. DOE. The Government has certain rights in this invention.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is related to the following co-pending Patent Applications: U.S. patent application Ser. No. 15/649,930 entitled “METHOD AND APPARATUS FOR TWO-LAYER COPY-ON-WRITE”, filed Jul. 14, 2017, U.S. patent application Ser. No. 15/649,976 entitled “METHOD AND APPARATUS FOR FAST CONTEXT CLONING IN A DATA PROCESSING SYSTEM”, filed Jul. 14, 2017, U.S. patent application Ser. No. 15/650,008 entitled “MEMORY NODE CONTROLLER”, filed Jul. 14, 2017, PROCESSING SYSTEM”, filed Jul. 14, 2017, U.S. patent application Ser. No. 15/650,008 entitled “MEMORY NODE CONTROLLER”, filed Jul. 14, 2017, U.S. patent application Ser. No. 15/819,328 entitled “MEMORY SYSTEM FOR A DATA PROCESSING NETWORK”, filed on the same date as this application, and U.S. patent application Ser. No. 15/819,378 entitled “RANGE-BASED MEMORY SYSTEM”, filed on the same date as this application, which are hereby incorporated by reference herein in their entirety.

BACKGROUND

A virtual machine is an emulation of a computer. The emulation may be implemented in hardware, software or a combination of hardware and software. A virtual machine may provide functionality to execute an operating system. A hypervisor enables multiple computing environments to share the same physical machine.

Virtual machines may be nested. That is, one virtual machine may be executed within another virtual machine. This may be done for security and/or ease of deployment.

A virtual machine uses a virtual address space. At some point, addresses in a virtual address space need to be translated into physical memory addresses. Conventionally, this address translation is performed using pages tables. One consequence of nested virtual machines is that each page translation must go through multiple page tables within each virtual machine layer, greatly increasing translation cost. This multi-layer translation process reduces the performance. Thus, there is a need for a faster address translation mechanism.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 schematically illustrates a data processing apparatus;

FIGS. 2a and 2b schematically illustrate respective instances of translation data;

FIG. 3 schematically illustrates the storage of multiple instances of translation data;

FIG. 4 schematically illustrates memory address translation apparatus;

FIG. 5 is a schematic flowchart illustrating an initialization process;

FIGS. 6 and 7 are schematic flowcharts illustrating methods of memory access;

FIG. 8 is a schematic flowchart illustrating a memory address translation method;

FIG. 9 is a schematic flowchart illustrating a memory address translation method;

FIG. 10 is a diagrammatic representation of memory allocation in a data processing system, consistent with embodiments of the disclosure;

FIG. 11 is a further diagrammatic representation of memory allocation in a data processing system, consistent with embodiments of the disclosure; and

FIG. 12 is a flow chart of a method of memory access, in accordance with embodiments of the disclosure

DETAILED DESCRIPTION OF THE EMBODIMENTS

While this invention is susceptible of embodiment in many different forms, there is shown in the drawings and will herein be described in detail specific embodiments, with the understanding that the present disclosure is to be considered as an example of the principles of the invention and not intended to limit the invention to the specific embodiments shown and described. In the description below, like reference numerals may be used to describe the same, similar or corresponding parts in the several views of the drawings.

In this document, relational terms such as first and second, top and bottom, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. The terms “comprises,” “comprising,” “includes,” “including,” “has,” “having,” or any other variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. An element preceded by “comprises . . . a” does not, without more constraints, preclude the existence of additional identical elements in the process, method, article, or apparatus that comprises the element.

Reference throughout this document to “one embodiment,” “certain embodiments,” “an embodiment,” “implementation(s),” “aspect(s),” or similar terms means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present disclosure. Thus, the appearances of such phrases or in various places throughout this specification are not necessarily all referring to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments without limitation.

The term “or” as used herein is to be interpreted as an inclusive or meaning any one or any combination. Therefore, “A, B or C” means “any of the following: A; B; C; A and B; A and C; B and C; A, B and C.” An exception to this definition will occur only when a combination of elements, functions, steps or acts are in some way inherently mutually exclusive. Also, grammatical conjunctions are intended to express any and all disjunctive and conjunctive combinations of conjoined clauses, sentences, words, and the like, unless otherwise stated or clear from the context. Thus, the term “or” should generally be understood to mean “and/or” and so forth.

All documents mentioned herein are hereby incorporated by reference in their entirety. References to items in the singular should be understood to include items in the plural, and vice versa, unless explicitly stated otherwise or clear from the text.

The words “about,” “approximately,” “substantially,” or the like, when accompanying a numerical value, are to be construed as indicating a deviation as would be appreciated by one of ordinary skill in the art to operate satisfactorily for an intended purpose. Ranges of values and/or numeric values are provided herein as examples only, and do not constitute a limitation on the scope of the described embodiments. The use of any and all examples, or exemplary language (“e.g.,” “such as,” or the like) provided herein, is intended merely to better illuminate the embodiments and does not pose a limitation on the scope of the embodiments. No language in the specification should be construed as indicating any unclaimed element as essential to the practice of the embodiments.

For simplicity and clarity of illustration, reference numerals may be repeated among the figures to indicate corresponding or analogous elements. Numerous details are set forth to provide an understanding of the embodiments described herein. The embodiments may be practiced without these details. In other instances, well-known methods, procedures, and components have not been described in detail to avoid obscuring the embodiments described. The description is not to be considered as limited to the scope of the embodiments described herein.

In the following description, it is understood that terms such as “first,” “second,” “top,” “bottom,” “up,” “down,” “above,” “below,” and the like, are words of convenience and are not to be construed as limiting terms. Also, the terms apparatus and device may be used interchangeably in this text.

The various embodiments and examples of the present disclosure as presented herein are understood to be illustrative of the present disclosure and not restrictive thereof and are non-limiting with respect to the scope of the present disclosure.

Further particular and preferred aspects of the present disclosure are set out in the accompanying independent and dependent claims. Features of the dependent claims may be combined with features of the independent claims as appropriate, and in combinations other than those explicitly set out in the claims.

In a computing system, virtual machines are created and managed by a hypervisor or virtual machine monitor. A hypervisor is executed on a host machine and may be implemented in software, firmware, hardware or a combination thereof. The hypervisor may provide each virtual machine (referred to as a guest machine) with a virtual operating system and a virtual memory space and enables multiple computing environments to share the same physical machine.

A virtual machine uses a virtual address space. At some point, addresses in a virtual address space need to be translated into physical memory addresses.

In accordance with embodiments of the disclosure, a host machine uses a range-based address translation system rather than a conventional page-based system. This enables address translation to be performed with improved efficiency, particularly when nest virtual machines are used.

FIGS. 1-9 and the associated descriptions below, describe a data processing system that utilizes range-based address translation. The remainder of the disclosure describes how a range-based system may be utilized to provide fast address translation for virtual machines.

Referring now to the drawings, FIG. 1 schematically illustrates a data processing apparatus.

A number of processor cores 100, 110 are provided. The data processing apparatus may be configured as a network in which the processing cores 100 and 110 are nodes. In the example of FIG. 1, two such processor cores are illustrated, but more processor cores could be provided. Alternatively, the system could comprise just one processor core.

The processor cores are arranged to process data in accordance with virtual memory addresses. For example, each of the processor cores may process data in accordance with virtual memory addresses in a respective virtual memory address space, for example under the control of an operating system or a so-called hypervisor which allocates virtual memory address spaces to the processes being performed by the different processor cores, partly as a technique for avoiding a process associated with one processor core accidently or maliciously accessing data appropriate to a process being executed by another of the processor cores.

A hypervisor may be used to enables independent page-tables for multiple operating systems. The page tables implement virtual memory spaces and virtualize further the physical space so that it can be multiplexed transparently across operating systems.

A memory address translation apparatus is provided to translate between the virtual memory addresses in the virtual memory address space and so-called real addresses.

In the context of the memory address translation techniques to be discussed below, the real addresses are “output” memory addresses in an output address space (a so-called real address space). This could represent a physical address by which a physical memory device or other addressable unit could be physically addressed. Or, the real (output) memory addresses could represent addresses which need a further stage of address translation before being used to access a physical memory device or other addressable unit. From the point of view of the address translation techniques to be discussed, either of these options is equivalent. That is to say, the address translation techniques start with a virtual memory address and produce an output memory address. Whether or not the overall apparatus then performs another stage of address translation on the output memory address is immaterial to the generation of the output memory address itself.

In FIG. 1, address translation is carried out by a so-called range table buffer (RTB) 105, 115. This performs address translation between a virtual memory address in the virtual memory address space and an output memory address in the output (real) address space. Each of the processor cores has a respective range table buffer. The operation of the range table buffer will be described in detail below.

Bypass logic 108, 118 is provided to selectively bypass the RTB 105, 115 when the address translation is such that a virtual memory address is equal to a corresponding output memory address. The bypass circuitry or logic is controlled by a control signal 109, 119 which will be discussed below. When the bypass logic is enabled, either the RTB 105, 115 does not perform any translation, or the translation performed by the RTB 105, 115 is ignored and the virtual memory address is provided, by a bypass route 104, 114, for use as the output memory address.

The memory address translation operations to be discussed below will assume that the bypass logic is not currently enabled (unless otherwise stated).

The processor cores 100, 110 are implemented or fabricated on an integrated circuit substrate in this example, and may both (or all in the case of more than two) be provided on the same integrated circuit substrate. These devices are referred to in FIG. 1 as being “on-chip”.

Also provided on-chip is a cache and/or system cache memory 130 to provide a temporary store for a subset of data held by the memory system to be discussed below, such as a most-recently accessed subset and/or a speculatively fetched subset. As shown in FIG. 1, the two processor cores 100, 110 share a common cache/system cache 130, but in other examples more than one could be provided, and another cache 140 is shown in broken line to illustrate such an arrangement.

The cache/system cache 130 (140) operates according to the output (real) memory addresses generated by the RTB 105, 115.

Off-chip, one or more memory node controllers 160, 170 are provided, which in turn access one or more respective physical devices 180, 190 such as dynamic random-access memories (DRAMs). Given that the physical devices 180, 190 operate in a physical address space, two functions of the memory node controllers 160, 170 can include: (a) translation of output (real) memory addresses to physical memory addresses, if a further stage of translation is needed, and (b) management of which of the physical devices 180, 190 needs to be accessed in order to implement a required memory access operation.

The translation operation (a) mentioned above can be carried out either using the techniques to be discussed below, or by a known memory address translation technique. The management operation (b), to manage which of the physical devices 180, 190 should be accessed, can be carried out using, for example, a table or directory stored at one or more of the memory node controllers 160, 170 to indicate a partitioning of the physical address space between physical devices and, in turn, memory node controllers.

It is not a requirement that more than one memory node controller 160, 170 is provided, but in the example of FIG. 1, two memory node controllers are provided. If one of the memory node controllers (such as a the memory node controller 160) receives a request for a memory access transaction which relates to an address handled by another memory node controller such as the memory node controller 170, the first memory node controller 160 can communicate via a data connection 165 with the other memory node controller 170, passing on the output (real) address relating to that transaction and requesting that the transaction be carried out by the second memory node controller 170.

The data processing apparatus of FIG. 1 may be implemented as a single integrated circuit, for example as a so-called system on a chip (SoC) or a so-called network on a chip (NoC). Alternatively, the data processing apparatus of FIG. 1 may be implemented as multiple discrete devices connected by interconnect circuitry 150. Routing circuitry 152 enable messages and data to be passed between the various elements of the data processing network. The data processing apparatus of FIG. 1 is just one example of how a set of processing elements may be interconnected. In other examples, processing elements are interconnected by a bus, network, memory, RDMA (remote direct memory access, allowing a processing element of one computer to access the memory of another processing element of another computer without the involvement of either device's operating system), or equivalent device. Therefore, interconnect circuitry 150 is simply an example indicative of various types of networking, interconnecting, bus or other circuitry to interconnect processing elements to allow the exchange of data and the switching of task execution in the manner described here.

In example embodiments, the interconnect circuitry may be an example of so-called cache coherent interconnect circuitry. Here, the term “coherent” refers to the maintenance of a correct relationship between multiple copies of the same data stored across the whole system. For example, data may be stored in a cache memory device 130 by one of the data handling nodes (such as the processing core 100). Other nodes (such as processing core 110) may be processing elements having their own respective cache 140 which, depending on the nature of the processing element operations, may store one or more copies of data which is also held in cache memory 130. In the case of a data handling access by one node to such information, there is a need to ensure that the accessing node is accessing the latest version of the stored information, and that if it makes any alteration to the stored information, either the other versions are correctly altered themselves or the other versions are deleted or invalidated. In general terms, caches 130 and 140 together with coherency controller 154 provide coherent memory circuitry storing one or more copies of data accessible by each of the processing elements (for example, each of the processing elements connected via the interconnect circuitry 150), so that data written to a memory address in the coherent memory circuitry by one processing element is consistent with data read from that memory address in the coherent memory circuitry by another of the processing elements.

Coherency controller 154 provides a point of coherency for the data processing apparatus and maintains a record of address tags, coherence state and location of cached data. In an alternative embodiment, each memory node controller may provide a point of coherency for a designated range of real addresses and for the physical devices that are accessed via the memory node controller. The coherency controller may be associated with a lowest level cache (LLC) or system cache.

In examples, the coherent memory circuitry comprises two or more coherent cache memories (130, 140) and the coherent memory circuitry is configured to store one or more (for example, multiple) copies of the data accessible by each of the processing elements. In the example discussed above, where devices are added to or subtracted from the interconnected arrangement, the coherency controller 154 can be arranged to react to the addition of a device by adding it to the so-called coherency domain, and bringing it into coherent operation with other devices in the interconnected arrangement, and to react to the subtraction of a device by reconfiguring the coherent domain to operate in the absence of that device. This reconfiguring may involve first ensuring (before the device is removed) that any data updates at that device are appropriately propagated to other coherent devices and/or the higher-level memory.

The data routing circuitry 152 and/or the coherency controller 154 include various mechanisms and circuitry to provide for coherent operation. An example processing element in the arrangement of FIG. 1 may reference data stored in an associated cache memory, with both the processing element and the cache memory being in communication with the interconnect circuitry. The cache memory may store copies of information held in a higher-level memory. In some instances, the two copies can be the same, for example if a copy has been cached during a memory read operation. In other instances, circumstances could arise which would lead to copies differing from one another, for example if a data write operation has been carried out by a particular processing element (such as the processing element 100) with respect to the copy of a data item stored in the cache 130. In a system of multiple caches, there is a need to ensure that before one version of a data item is accessed, any changes which have been implemented in respect of other versions are fully implemented for all copies. The role of logic associated with the cache coherence function is therefore to ensure that before a data handling transaction takes place, if the version of the data item to be accessed is out of date (because of a modification made to another copy of the same data item), the copy to be accessed is first brought up to date. Similarly, if the data handling transaction involves modifying a data item, then cache coherence logic avoids conflicts with other existing copies of the data item. Techniques for achieving this include (for example) the use of a so-called “snoop filter”.

The term “snoop filter” is a historical one and is used here to refer to a control device forming part of the coherency controller 154 having an associated “directory”, where the directory stores information indicating which data is stored in which cache, and the snoop filter itself at least contributes to the handling of data accesses to cached information to provide a cache coherence function.

The coherency controller 154 including the snoop filter provides an example of a cache coherency controller configured to coordinate, amongst the cache memories, an access to a memory address by one of the cache memories when the directory indicates that another of the cache memories is caching that memory address. The snoop controller stores or provides a directory such as the directory mentioned above indicating, for memory addresses cached by one or more of a group of one or more cache memories connectable in a coherent cache structure, which of the cache memories are caching those memory addresses.

An external device, such as external data movement engine 192, may utilize coherency controller 154 to modify the coherence state of data stored in caches of the data processing apparatus.

The range table buffers (RTBs) 105, 115 operate by storing one or more instances of translation data. FIG. 2a schematically illustrates such an instance of translation data.

Referring to FIG. 2a , an instance (or indeed each instance) of translation data. In this example, the instance is formed as a 224-bit word comprising 22 reserved bits 200, 10 bits of administrative data discussed below) 205, 64 bits of address offset data 210, 64 bits of “base virtual address” data 220 and 64 bits of range data 230. Other formats may be used for RTB entries without departing from the present disclosure.

The data 220, 230 together define a range of virtual memory addresses between respective virtual memory address boundaries in the virtual memory address space. In the example of FIG. 2a , the range of virtual memory addresses is between the base virtual address (VA) represented by Base VA up to and including the address represented by Base VA+Range. Here, it will be appreciated that it is not necessarily the case that the lowest address in the range has to be defined by the field Base VA. More generally, a range of virtual addresses can be defined by one reference value at a predetermined position relative to the range of virtual addresses, so that in other examples the field 220 could be occupied by (for example) “highest VA” such that the range of virtual memory addresses is defined by “highest VA−Range” up to “highest VA”. In other examples, the field 220 could be occupied by (for example) “central VA” such that the range of virtual memory addresses extends between “central VA−Range” up to “central VA+Range”. Again, “central VA” would be an example of a virtual memory address at a predetermined position relative to the range of virtual memory addresses. However, the present examples will assume that the field 220 is occupied by the Base VA and that the respective virtual memory address boundaries of the range of virtual memory addresses are in this example Base VA and Base VA+Range.

The offset field 210 contains an address offset between a virtual memory address in the range of virtual memory addresses and a corresponding output memory address in an output address space, which is applied as a linear sum to a virtual memory address in the range defined by the boundaries discussed above to generate the respective output memory address. The offset can be positive, negative or indeed zero. So, for an arbitrary virtual memory address VA_test which falls within the range defined by base VA and base VA+Range, the translated (output) memory address in the output memory address space can be expressed as: VA_test+offset.

In this example, the offset represents a simple difference between any virtual memory address in the virtual memory address range and a corresponding output memory address.

Another example is shown schematically in FIG. 2b , in which the fields 200, 205, 220, 230 can be identical to those shown in FIG. 2a , but in place of the offset fields 210, a field referred to as base output 240 is provided which indicates the output memory address corresponding to (in this example) the address base VA in the virtual memory address space. More generally, the field 240 can indicate a reference memory address in the output address space corresponding to a virtual memory address at a predetermined position (such as the predetermined positions in the examples discussed above) relative to the range of virtual memory addresses so that the translation circuitry to be discussed below is configured to translate a given virtual memory address in the range of virtual memory addresses by adding to or subtracting from the reference address in the output address space and are now dependent upon a difference, in the virtual memory address space, between the given virtual memory address and the virtual memory address at a predetermined position relative to the range of virtual memory addresses. This gives a translation function as: (VA_test-predetermined VA)+reference.

The type of translations defined by the translation data of FIG. 2b provide a potentially variable size of range covered by a single instance of translation data, and can provide multiple translations mapping different virtual memory addresses to the same output memory address, if that is required.

FIG. 3 schematically illustrates the storage of multiple instances of the translation data of FIG. 2a or 2 b, for example in the cache 130 (140) or in the memory system off-chip, for example in one of the physical devices 180, 190.

A storage location which defines the storage of a set of instances of translation data is provided by a variable RT address 300. The derivation of the variable RT address will be discussed further below. The memory address represented by RT address can be, for example, a real (output) address, a physical memory address or another memory address. In the present example, the variable RT address represents a physical memory address of the set of instances of translation data in physical memory.

As indicated schematically by the broken arrows of FIG. 3, the variable RT address 300 can provide location information for each of the (or more than one of the) instances. Or the locations can be inferred from the size of each instance (for example 224 bits) and the location of a reference one of the instances.

The instances of translation data can be pre-stored in the memory by, for example, the operating system and/or hypervisor and can be ordered, for example, in order of their applicability to the virtual memory address space. By way of example, the virtual memory address space is illustrated as a rectangle 310 to the righthand side of FIG. 3 and the ranges of virtual memory addresses represented by an upper two (as drawn) instances of translation data are shown schematically as ranges 312, 314 in FIG. 3. Further data 320 can be stored, either by the RTB (in the store 460 discussed below) or alongside the instances of translation data in the memory, indicating attributes such as a most frequently and/or most recently used instance of translation data, and/or the frequency of use of each instance of translation data, and/or how recently each instance of translation data has been accessed, or the like.

FIG. 4 schematically illustrates memory address translation apparatus such as the RTB 105, 115 of FIG. 1, as an example of translation circuitry which can apply a translation defined by a detected instance of the translation data to a given virtual memory address.

The apparatus comprises an input 400 to receive a virtual memory address, an output 410 to output an output (translated) memory address, a translation data store 420 to store one or more instances of translation data as discussed above, access circuitry 430, a translator/permission detector 440, a detector/fetch logic 450, a store 460 to store fetch criteria, and a store 470 to store the RT address variable.

In operation, as discussed above, the translation data store 420 stores one or more instances of translation data such as the translation data shown in FIGS. 2a and 2b providing address range boundary values (such as base VA and range) defining a range of virtual memory addresses between respective virtual memory address boundaries in the virtual memory address space, and indicating a translation (such as the offset or base output fields) between a virtual memory address in the range of virtual memory addresses and a corresponding output memory address in the output memory address space.

In response to a virtual address received on the input 400, the access circuitry 430 accesses translation data held in the translation data store 420. For example, a single instance of translation data may be held at any one time in the translation data store 420. The detector/fetch logic 450 acts as detector circuitry to detect whether the virtual memory address to be translated lies within the range of virtual memory addresses defined by an (or the) instance of the translation data in the translation data store 420. If so, then the detector/fetch logic provides the data indicating the translation (such as the offset or base output fields to the translator/permission detector 440) along with the administrative data in the field 205. The translator/permission detector circuitry 440 applies the translation defined by a (or the) detected instance of the translation data to the input (given) virtual memory address to determine the translated (output) memory address. This is provided on the output 410 to the cache/system cache 130 and, if necessary, to one or more of the memory node controllers 160, 170.

If the detector/fetch logic 450 detects that the virtual memory address to be translated does not lie in the range of virtual memory addresses defined by an (or the) instance of the translation data in the translation data store 420, then the detector/fetch logic initiates the fetching of another instance (or one or more further instances) of translation data. To do this, the detector/fetch logic 450 can use fetch criteria stored in the fetch criteria store 460.

Examples of fetch criteria have been discussed above, and may include, for example, the most recently used instance of translation data (which is not an instance currently held by the translation data store), the instance of translation data which is most frequently used and which is not currently held in the translation data store, or the like. The detector/fetch logic 450 initiates the fetching of the translation data using the RT address variable stored in the store 470. The fetched instance of translation data is then stored in the translation data store, evicting the currently stored instance (if just one is held) or a least recently and/or least frequently used instance (of those held in the translation data store 420) if more than one instance is held there. Therefore, the detector/fetch logic 450 is configured when the given virtual memory address to be translated lies outside the ranges of virtual memory addresses defined by any instances of the translation data stored by the translation data store to retrieve one (or indeed more) further instances of the translation data. To do this, the detector/fetch logic 450 may access one or more memory locations (for example defined or referenced by the variable RT address) storing further instances of the translation data. In this way, the variable RT address may act as a location parameter and the detector/fetch logic 450 is configured to retrieve one or more further instances of the translation data from memory locations defined by one or more such location parameters indicating addresses in the output memory space (or indeed in the physical memory space if that is different).

As discussed above, the fetch criteria 460 may be such that the detector/fetch logic 450 is configured to retrieve the one or more further instances of the translation data in an order of usage of the instances of translation data. For example, the order of usage may be an order of most frequent usage, although it could be an order of most recent usage.

Another function of the translator/permission detector 440 is to detect the administrative data 205 of the instance of translation data used in respect of the current translation, and which indicates access permissions associated with the range of virtual memory addresses of that instance of translation data. This permission data can either by passed on to the cache/system cache 130 as permission data associated with the current memory access, or can be used to control or gate current attempted memory accesses such that if they breach the permission data they are not forwarded to the cache/system cache 130 by the translator/permission detector.

Therefore, the arrangement of FIG. 1 can provide one or more processors to process data in accordance with virtual memory addresses, and address translation apparatus such as that shown in FIG. 4 to translate a virtual memory address relating to a processing operation of the one or more processors into an output memory address to access a memory system responsive to the output memory address. The cache/system cache 130 may provide an example of a cache memory disposed between the address translation apparatus and the memory system, the cache memory being addressable in the output memory address space.

The memory node controllers 160, 170 and physical devices 180, 190 can provide a memory system responsive to memory addresses in the output memory address space.

If two or more processor cores 100, 110 are used, each processor can have a respective address translation apparatus 105, 115 to translate a virtual memory address relating to a processing operation of that processor 100, 110 into an output memory address to access the memory system 160, 170, 180, 190. As mentioned above, each processor 100, 110 may operate to process data in accordance with virtual memory addresses in a respective virtual memory address space. However, the real (output) memory address space can be common as between the processors 100, 110, such that the memory system 160, 170, 180, 190 is configured to operate according to the output memory address space common to interact with the address translation apparatus 105, 115 of each of the processors.

FIG. 5 is a schematic example of an initialization process. The variable RT address can simply be established for the whole of run time at start up or boot of the system. Similarly, the controllers 109, 119 to indicate to the apparatus whether the bypass function should be enabled can also be established for the whole of run time at boot or start up. However, in other examples, these items are established at a so-called context switch.

By way of background, in arrangements of one or more interconnected processors, a program task such as a thread can be executed by the one or more processors in successive portions, possibly interspersed with portions of execution of other program tasks. Execution can be passed from one processor to another in a multi-processor or multi-core system. To enable this, a process referred to as context switching may take place.

In a context switch, each processor is configured to save context data relating to or applicable to a program task following execution of that program task by that processing element, and to load context data, previously saved by that processor element or another of the processors, at resumption of execution of a program task.

The context data can indicate a current processing state of the processor at the time that execution of the particular program task was paused or handed over. However, it can also provide some parameters established, for example, by the operating system and/or hypervisor which are common to each occasion on which that program task is executed. In the present example, the context data can indicate whether the bypass function should be enabled and the location within the memory of the instances of translation data applicable to execution of that program task. So, on loading the context data, the bypass function is enabled or disabled and, assuming the bypass function is disabled, the location within memory of the appropriate address translation data to be used by the RTB 105, 115 is identified. FIG. 5 schematically illustrates this initialization process as a schematic flowchart starting with, at a step 500, a change of context corresponding to a task swap as discussed above. This leads to the relevant processor loading a new context at a step 510.

With reference to the parameters defined by the newly loaded context, the processor core detects whether the bypass operation should be used for this portion of execution of the program task at a step 520. If the answer is yes, then the bypass logic 108, 118 is enabled by the control signal 109, 119 at a step 530. If the answer is no, then control passes to a step 540 at which the variable RT address is detected (for example, from the context data applicable to the current task) and is stored in the store 470 of FIG. 4. Using the variable RT address, at least one table entry (for example, an instance of translation data) is retrieved and stored in the translation data store 420 at a step 550

FIGS. 6 and 7 are schematic flowcharts illustrating methods of memory access. In particular, FIG. 6 schematically represents a load operation and FIG. 7 schematically represents a stall operation. In each case, reference is made to an instance 600, 700 of translation data held by the translation data store 420.

Referring first to FIG. 6, a load address 605 is generated by one of the processor cores 100, 110 indicating the virtual address from which one or more data items should be loaded. At a step 610, the access circuitry 430 looks up the one or more instances of translation data held by the translation data store 420. A detection is then made by the detector/fetch logic 450 at a step 615 as to whether the given virtual address (representing the load address) exists within the range or ranges defined by the translation data held in the translation data store 420. If the answer is no, then further action 620 to be discussed below is carried out. If, however, the answer is yes, then control passes to a step 625 at which the translator/permission detector 440 accesses the administrative data field 205 within the translation data to detect whether the current operation is permitted according to the permission data associated with the range of virtual addresses defined by that instance of translation data. If the answer is no, then control passes to the step 620 at which further action (in this case the raising of a fault condition) is carried out. If, however, the answer is yes, then the translator/permission detector 440 calculates the output address at a step 630 using the offset field 210 of the instance of translation data held in the translation data store 420.

The output memory address is passed to the cache/system cache 130 and at a step 635 a detection is made as to whether data corresponding to that output address is currently held in the cache/system cache 130. If the answer is yes, then at a step 640 the required data item is returned to the processor core which initiated the transaction. If the answer is no, then at a step 645 the memory access is referred to the memory system 160, 170, 180, 190 for processing.

A similar arrangement is shown schematically in FIG. 7 which illustrates a data storage operation.

Here, as mentioned above, reference is made to an instance 700 of translation data currently held by the translation data store 420.

At a step 705, the virtual address representing a required storage address is established by the relevant processor core.

At a step 710, the access circuitry 430 accesses the translation data store to detect whether the store address established at the step 705 lies within the range defined by the one or more stored instances of translation data. If, at a step 715, the store address does not lie within the range or ranges, then control passes to a step 720 at which further action to be discussed below is taken.

If, however, the answer is yes, then control passes to a step 725 at which the translator/permission detector 440 detects from the administrative data field 205 whether the current operation is permitted. If the answer is no, control passes to the step 720 at which further action (a fault condition in this example) is carried out. If, however, the answer is yes, at the step 725 then control passes to a step 730 which calculates the output address for storage of the current data based upon the given virtual address representing the store address (735) and the offset field 210 to generate the output address 740 for use in the storage operation.

FIG. 8 is a schematic flowchart illustrating a memory address translation method, and in particular, addresses the negative outcome of the steps 615, 715 of FIGS. 6 and 7, when it is detected that a currently required virtual address does not lie within the range or ranges defined by the one or more instances of translation data held by the translation data store.

Referring to FIG. 8, at a step 800, if there is a “hit”, which is to say the current virtual memory address to be translated does lie within one of the ranges defined by the one or more instances of translation data held by the translation data store 420, then control passes to a step 810 which summarizes the translation process discussed above, and the current (given) virtual address is translated into a corresponding output memory address.

However, if the outcome is no from the step 800, corresponding to the negative outcome of the steps 615, 715, then control passes to a step 820 at which the RT address (RT base address) which forms part of the context format and may optionally be buffered or stored by the RTB 105, 115 in the store 470, is accessed.

At a step 830, if the RTB 105, 115 detects that instances of translation data are indeed available to be accessed (they are not all currently held by the translation data store 420) then control passes to a step 840. If there are no more instances available to be retrieved, then control passes to a step 850 at which a fault condition is established.

At the step 840, a next instance is retrieved by the detector/fetch logic 450. These may optionally be accessed in a sorted order (they may be sorted in order of usage, for example by frequency of usage) so that a next most used instance is accessed. Optionally, at a step 860, one or more other instances can be speculatively loaded as well.

The test of the step 800 is effectively repeated at a step 870. If the given virtual address for translation is within the range or ranges defined by the newly loaded instance, then control can pass to the step 810 for the translation to be performed. If not, control returns to the step 830 so that one or more other instances (if available) are loaded again with the step 840, or a fault condition is established at the step 850 if no more instances are available.

FIG. 9 is a schematic flowchart illustrating a memory address translation method comprising: (i) storing (at a step 900) one or more instances of translation data providing address range boundary values defining a range of virtual memory addresses between respective virtual memory address boundaries in a virtual memory address space, and indicating a translation between a virtual memory address in the range of virtual memory addresses and a corresponding output memory address in an output address space; (ii) detecting (at a step 910) whether a given virtual memory address to be translated lies in the range of virtual memory addresses defined by an instance of the translation data in the translation data store; (iii) when the given virtual memory address to be translated lies outside the ranges of virtual memory addresses defined by any instances of the translation data stored by the translation data store, retrieving (at a step 920) one or more further instances of the translation data; and (iv) applying (at a step 930) the translation defined by a detected instance of the translation data to the given virtual memory address.

FIG. 10 is a diagrammatic representation of memory allocation in a data processing system. A mapping between virtual address ranges and a real or output address range is recorded in range translation buffer 1002. As described above, each entry in range translation buffer 1002 provides an instance of translation data and includes, for example, an offset address (OFFSET), a base virtual address (BASE_VA) and a virtual address range (RANGE). In addition, the entries are indexed by an identifier (ID). The identifier (ID) may be a context identifier, unique to each context, or an address space identifier unique to each virtual address space. The identifier indicates which entries of the range translation buffer 1002 are associated with a particular context. One or more contexts may be associated with each address space and one or more address spaces may be associated with each context. However, the identifier enables a given context to specify which entry or entries of the range table are to be accessed in order to perform an address translation.

At a given time, multiple hypervisors may be in operation where each hypervisor is a context (such as a process with a unique address space) that allocates a range of memory for itself. In the example shown, hypervisor 1004 is allocated the real memory range 0x40100 (hexadecimal 40100) to 0x50100. The hypervisor also allocates itself a virtual address range 0x100 to 0x10000 and an identifier 0x01. To convert a given virtual address supplied from a context with a given ID, entries in the range table with a matching ID are found and, for those entries, a check is made to determine if the given virtual address is with the virtual address range. If it is within the range, the offset 0x40000 is added. So, for example, the virtual address 0x200 from a context with ID 0x04 lies in the range 0x20-0x1000 of the entry with ID 0x20 is translated to an output or real address 0x42200 by adding the offset 0x42000 from the entry with ID 0x04.

Each virtual machine managed by a hypervisor will have its own range of memory allocated by the hypervisor to be managed by the guest operating system. In the example shown, guest virtual machine VM 1 is allocated the real address range 0x41210 to 0x45BA0 denoted as address range 1006. The virtual machine VM 1 has a virtual address range 0x1200 to 0x4990. The corresponding offset is 0x40010. Virtual machine VM 2 is allocated a real address range 1008 that does not overlap the range 1006 of VM 1.

As these virtual machines are contexts that operate within the address range of the hypervisor context, their user addresses and maximum ranges will be contained within the range of the hypervisor context. More specifically, this means that the guest operating systems are configured to observe a standard memory range from zero through to maximum physical memory, and then create an overlay virtual memory system on top. From the hypervisor point of view, the range that the guest operating system is within is just another allocated range.

Upon allocation of memory to one of these guest virtual machines, using just pointer arithmetic (offset calculation from base), the virtual machine contexts get ranges that then get translated to real addresses in the exact same way as any other range.

An application such as APP 1, executed in the virtual machine VM 1, executes within range 1010 of real addresses of VM 1. In this example, application APP 1 uses the real address range 0x41350 to 0x43350. The corresponding virtual address range for APP 1 is 0x350 to 0x2350 with an offset of 0x41000. A further application such as APP 2, executed in the virtual machine VM 1, also executes within the range of real addresses of VM 1. In this example, application APP 2 uses the real address range 0x44005 to 0x44105, denoted as address 1012. The corresponding virtual address range for APP 2 is 0x5 to 0x100 with an offset of 0x44000.

An application such as NESTED APP 1, is executed within the context of APP 1 and executes within range 1010 of real addresses of APP 1. In this example, application NESTED APP 1 uses the real address range 0x42020 to 0x43020, denoted as address range 1014. The corresponding virtual address range for NESTED APP 1 is 0x20 to 0x1000 with an offset of 0x42000.

In order to translate from a virtual address to a real or output address, a single offset calculation is used for any level of nesting. While allocation of ranges for a nested context may be slightly slower (O(1) cycles) than for the parent or host hypervisor context, translation from a virtual address to a real address is always a one-level translation. This process can be repeated for N-levels of nested translation, so for any number of levels, the translation is a single table lookup and offset addition.

This process enables an arbitrary level nested context to translate its virtual addresses into real addresses, as if it was running natively.

A further benefit of range-based memory translation is that a hypervisor can limit control of a guest (say, for example, for write operations) due to malicious activity, the hypervisor can instruct the memory node controller responsible for the corresponding physical memory to block all read and/or write access to ranges within the victim guest's real address range. This is possible, as the guest virtual machine is allocated a range nested within the hypervisor's range, and the hypervisor has control over its own real address space.

An example is shown in FIG. 11. In this example, the application APP 2 is to be blocked. The hypervisor has allocated address range 1012 to APP 2 and instructs the memory node controller to block this range of address. The memory node controller 1102 normally translates real address range 1012 to physical address range 1104 in physical address space 1106 of resources managed by the memory node controller. Following receipt of the instruction, the memory node controller 1102 blocks access to real addresses in the range 1012, thereby preventing the physical memory 1106 from being corrupted.

In an alternative embodiment, a nesting strategy is used, where an inner layer of a virtual machine traps to the next outer layer. While this strategy may have some implementations benefits (such as a simpler micro-architectural implementation, for example), translation from virtual address to a real address requires N offsets to be calculated for N nested layers. However, this strategy still reduces the number of translation steps compare to a conventional page-based address translation approach which requires approximately (24×N) memory accesses for every address translation.

FIG. 12 is a flow chart 1200 of a method of memory access, in accordance with embodiments of the disclosure. Following start block 1202, a request to access memory at a particular virtual address (VA_ADDR) is received from a processing core at block 1204. The request also provides an identifier (ID) of the virtual address space in which the virtual address lies. This identifier may be an identifier of the context from which the request was made, or an address space identifier (ASID). Each entry in the RTB is an instance of address translation data. Entries in the RTB may be indexed by the identifier. At block 1206, the virtual address range is retrieved from an entry with a matching identifier and, at decision block 1208, a check is performed to determine if the virtual address (VA_ADDR) lies with the range. If not, as depicted by the negative branch from decision block 1208, a check is made at decision block 1210 to determine if there are any more entries in the RTB with a matching identifier (ID). If this was the last matching entry, as depicted by the positive branch from decision block 1210, an error is declared at block 1212 and the method terminates. If another entry exists, as depicted by the negative branch from decision block 1210, flow returns to block 1206 and the next entry is retrieved. When the virtual address is found in an entry of the RTB, as depicted by the positive branch from decision block 1208, the offset (OFFSET) in the entry is added to the virtual address at block 1214 to determine the output address: OUTPUT_ADDR=OFFSET+VA_ADDR. Caches are indexed by address tags corresponding to output addresses. If the calculated output address is found in a local cache (referred to as a ‘hit’), as depicted by the positive branch from decision block 1216, the cache is accessed at block 1218 and the process terminates at block 1220. If the calculated output address is not found in a local cache (referred to as a ‘miss’), as depicted by the negative branch from decision block 1216, a request for access is sent the appropriate memory node controller at block 1222.

The method illustrated in FIG. 12 is applicable for any level of context nesting. Once the matching entry is found in the RTB, only a single offset calculation is required to determine the output address.

The integrated circuits disclosed above may be defined by a set of instructions of a Hardware Description Language (HDL). The instructions may be stored in a non-transient computer readable medium. The instructions may be distributed via the computer readable medium or via other means such as a wired or wireless network. The instructions may be used to control manufacture or design of the integrated circuit, and may be combined with other instructions.

Although illustrative embodiments of the invention have been described in detail herein with reference to the accompanying drawings, it is to be understood that the invention is not limited to those precise embodiments, and that various changes and modifications can be affected therein by one skilled in the art without departing from the scope and spirit of the invention as defined by the appended claims.

It will be appreciated that the devices, systems, and methods described above are set forth by way of example and not of limitation. Absent an explicit indication to the contrary, the disclosed steps may be modified, supplemented, omitted, and/or re-ordered without departing from the scope of this disclosure. Numerous variations, additions, omissions, and other modifications will be apparent to one of ordinary skill in the art. In addition, the order or presentation of method steps in the description and drawings above is not intended to require this order of performing the recited steps unless a particular order is expressly required or otherwise clear from the context.

The method steps of the implementations described herein are intended to include any suitable method of causing such method steps to be performed, consistent with the patentability of the following claims, unless a different meaning is expressly provided or otherwise clear from the context. For example, performing X includes any suitable method for causing another party such as a remote user, a remote processing resource (e.g., a server or cloud computer) or a machine to perform X. Similarly, performing elements X, Y, and Z may include any method of directing or controlling any combination of such other individuals or resources to perform element X, Y, and Z to obtain the benefit of such steps. Thus, method steps of the implementations described herein are intended to include any suitable method consistent with the patentability of the following claims, unless a different meaning is expressly provided or otherwise clear from the context.

It should further be appreciated that the methods above are provided by way of example. Absent an explicit indication to the contrary, the disclosed steps may be modified, supplemented, omitted, and/or re-ordered without departing from the scope of this disclosure.

It will be appreciated that the methods and systems described above are set forth by way of example and not of limitation. Numerous variations, additions, omissions, and other modifications will be apparent to one of ordinary skill in the art. In addition, the order or presentation of method steps in the description and drawings above is not intended to require this order of performing the recited steps unless a particular order is expressly required or otherwise clear from the context. Thus, while particular embodiments have been shown and described, it will be apparent to those skilled in the art that various changes and modifications in form and details may be made therein without departing from the scope of this disclosure and are intended to form a part of the disclosure as defined by the following claims, which are to be interpreted in the broadest sense allowable by law.

The various representative embodiments, which have been described in detail herein, have been presented by way of example and not by way of limitation. It will be understood by those skilled in the art that various changes may be made in the form and details of the described embodiments resulting in equivalent embodiments that remain within the scope of the appended claims.

Accordingly, some features of the disclosed embodiments are set out in the following numbered items:

1. A memory address translation apparatus comprising: a translation data store to store one or more instances of translation data indicative of: address range boundary values defining a range of virtual memory addresses between respective virtual memory address boundaries in a virtual memory address space of a nested context, an identifier of the virtual address space, and a translation between a virtual memory address in the range of virtual memory addresses and a corresponding output memory address in an output address space; detector circuitry to detect an instance of the translation data in the translation data store for which the provided virtual address space identifier of the instance matches a given identifier of a virtual address space and for which a given virtual memory address to be translated lies in the range of virtual memory addresses defined by the instance; and first translation circuitry to apply the translation, defined by a detected instance of the translation data, to the given virtual memory address to provide an output memory address in the output address space.

2. The memory address translation apparatus of item 1, where the nested context utilizes a single virtual address space and where the identifier of the virtual address space comprises an address space identifier (ASID) of the single virtual address space.

3. The memory address translation apparatus of item 1, where the identifier of the virtual address space comprises a context identifier of the nested context.

4. The memory address translation apparatus of item 1, further comprising a second translation circuitry to translate the output memory address in the output memory space to a physical address in a physical device.

5. The memory address translation apparatus of item 1, further comprising a memory node controller associated with a physical device, the memory node controller comprising a second translation circuitry to translate the output memory address in the output memory space to a physical address in the physical device, where the memory node controller is configured to access the physical device using the physical address.

6. The memory address translation apparatus of item 1, in which the translation data indicates an address offset between a virtual memory address in the range of virtual memory addresses and a corresponding output memory address in an output address space.

7. The memory address translation apparatus of item 1, in which the translation data indicates a reference memory address in the output address space corresponding to a virtual memory address at a predetermined position relative to the range of virtual memory addresses, so that the first translation circuitry is configured to translate the given virtual memory address in the range of virtual memory addresses by adding to or subtracting from the reference memory address in the output address space an amount dependent upon a difference, in the virtual memory address space, between the given virtual memory address and the virtual memory address at the predetermined position relative to the range of virtual memory addresses.

8. The memory address translation apparatus of item 1, in which each instance of translation data further comprises administrative data indicating access permissions associated with the range of virtual memory addresses of that instance of translation data.

9. A data processing apparatus comprising: a processor to process data in accordance with virtual memory addresses; an address translation apparatus according to claim 1, to translate a virtual memory address relating to a processing operation of the processor into an output memory address to access a memory system responsive to the output memory address.

10. The data processing apparatus of item 9, further a comprising a cache memory disposed between the address translation apparatus and the memory system, the cache memory being addressable in the output memory address space.

11. The data processing apparatus of item 9, in which the nested context is a nested context of a current task being executed by the processor.

12. A memory address translation method comprising: storing one or more instances of translation data providing address range boundary values defining a range of virtual memory addresses between respective virtual memory address boundaries in a virtual memory address space of a nested context, indicating an identifier of the virtual address space of the nested context, and indicating a translation between a virtual memory address in the range of virtual memory addresses and a corresponding output memory address in an output address space; detecting when an instance of the translation data in the translation data store for which the provided virtual address space identifier of the instance matches a given identifier of a virtual address space and for which a given virtual memory address to be translated lies in the range of virtual memory addresses defined by the instance; and applying the translation defined by a detected instance of the translation data to the given virtual memory address to provide an output memory address in the output address space.

13. The method of item 12, where the nested context utilizes a single virtual address space and where the identifier of the virtual address space comprises an address space identifier (ASID) of the single virtual address space.

14. The method of item 12, where the identifier of the virtual address space comprises a context identifier of the nested context.

15. The method of item 12, further comprising: translating the output memory address in the output memory space to a physical address in a physical device; and accessing the physical device using the physical address.

16. The method of item 12, further comprising: blocking an output address range; when the output memory address is not in the blocked output address range: translating the output memory address in the output memory space to a physical address in a physical device; and accessing the physical device using the physical address; where the physical device is not accessed when the output memory address is in the blocked output address range.

17. The method of item 12, where the translation data indicates an address offset between a virtual memory address in the range of virtual memory addresses and a corresponding output memory address in an output address space, and where applying the translation defined by a detected instance of the translation data to the given virtual memory address comprises adding the address offset to the given virtual memory address.

18. The method of item 12, where the translation data indicates a reference memory address in the output address space corresponding to a virtual memory address at a predetermined position relative to the range of virtual memory addresses, where translating the given virtual memory address comprises: adding to or subtracting from the reference memory address in the output address space an amount dependent upon a difference, in the virtual memory address space, between the given virtual memory address and the virtual memory address at the predetermined position relative to the range of virtual memory addresses.

19. The method of item 12, further comprising: allocating an output address range to a virtual machine; allocating a first range of virtual addresses to a first application in the virtual machine, the first application having a first context; storing translation data indicative of: the first range of virtual memory addresses, an identifier of the first context, and a translation between a virtual memory address in the first range of virtual memory addresses and a corresponding output memory address in the output address range; allocating a second range of virtual addresses a second application in the virtual machine, the second application having a second context nested within the first context; and storing translation data indicative of: the second range of virtual memory addresses, an identifier of the second context, and a translation between a virtual memory address in the second range of virtual memory addresses and a corresponding output memory address in the output address range. 

What is claimed is:
 1. A memory address translation apparatus comprising: a translation data store to store one or more instances of translation data indicative of: address range boundary values defining a range of virtual memory addresses between respective virtual memory address boundaries in a virtual memory address space of a nested context, an identifier of the virtual address space, where the nested context utilizes a single virtual address space and where the identifier of the virtual address space comprises an address space identifier (ASID) of the single virtual address space, and a translation between a virtual memory address in the range of virtual memory addresses and a corresponding output memory address in an output address space; detector circuitry to detect an instance of the translation data in the translation data store for which the provided virtual address space identifier of the instance matches a given identifier of a virtual address space and for which a given virtual memory address to be translated lies in the range of virtual memory addresses defined by the instance; and first translation circuitry to apply the translation, defined by a detected instance of the translation data, to the given virtual memory address to provide an output memory address in the output address space.
 2. The memory address translation apparatus of claim 1, where the identifier of the virtual address space comprises a context identifier of the nested context.
 3. The memory address translation apparatus of claim 1, further comprising a second translation circuitry to translate the output memory address in the output memory space to a physical address in a physical device.
 4. The memory address translation apparatus of claim 1, further comprising a memory node controller associated with a physical device, the memory node controller comprising a second translation circuitry to translate the output memory address in the output memory space to a physical address in the physical device, where the memory node controller is configured to access the physical device using the physical address.
 5. The memory address translation apparatus of claim 1, in which the translation data indicates an address offset between a virtual memory address in the range of virtual memory addresses and a corresponding output memory address in an output address space.
 6. The memory address translation apparatus of claim 1, in which the translation data indicates a reference memory address in the output address space corresponding to a virtual memory address at a predetermined position relative to the range of virtual memory addresses, so that the first translation circuitry is configured to translate the given virtual memory address in the range of virtual memory addresses by adding to or subtracting from the reference memory address in the output address space an amount dependent upon a difference, in the virtual memory address space, between the given virtual memory address and the virtual memory address at the predetermined position relative to the range of virtual memory addresses.
 7. The memory address translation apparatus of claim 1, in which each instance of translation data further comprises administrative data indicating access permissions associated with the range of virtual memory addresses of that instance of translation data.
 8. A data processing apparatus comprising: a processor to process data in accordance with virtual memory addresses; an address translation apparatus according to claim 1, to translate a virtual memory address relating to a processing operation of the processor into an output memory address to access a memory system responsive to the output memory address.
 9. The data processing apparatus of claim 8, further a comprising a cache memory disposed between the address translation apparatus and the memory system, the cache memory being addressable in the output memory address space.
 10. The data processing apparatus of claim 8, in which the nested context is a nested context of a current task being executed by the processor.
 11. A memory address translation method comprising: storing one or more instances of translation data providing address range boundary values defining a range of virtual memory addresses between respective virtual memory address boundaries in a virtual memory address space of a nested context, indicating an identifier of the virtual address space of the nested context, where the nested context utilizes a single virtual address space and where the identifier of the virtual address space comprises an address space identifier (ASID) of the single virtual address space and indicating a translation between a virtual memory address in the range of virtual memory addresses and a corresponding output memory address in an output address space; detecting when an instance of the translation data in the translation data store for which the provided virtual address space identifier of the instance matches a given identifier of a virtual address space and for which a given virtual memory address to be translated lies in the range of virtual memory addresses defined by the instance; and applying the translation defined by a detected instance of the translation data to the given virtual memory address to provide an output memory address in the output address space.
 12. The method of claim 11, where the identifier of the virtual address space comprises a context identifier of the nested context.
 13. The method of claim 11, further comprising: translating the output memory address in the output memory space to a physical address in a physical device; and accessing the physical device using the physical address.
 14. The method of claim 11, further comprising: blocking an output address range; when the output memory address is not in the blocked output address range: translating the output memory address in the output memory space to a physical address in a physical device; and accessing the physical device using the physical address; where the physical device is not accessed when the output memory address is in the blocked output address range.
 15. The method of claim 11, where the translation data indicates an address offset between a virtual memory address in the range of virtual memory addresses and a corresponding output memory address in an output address space, and where applying the translation defined by a detected instance of the translation data to the given virtual memory address comprises adding the address offset to the given virtual memory address.
 16. The method of claim 11, where the translation data indicates a reference memory address in the output address space corresponding to a virtual memory address at a predetermined position relative to the range of virtual memory addresses, where translating the given virtual memory address comprises: adding to or subtracting from the reference memory address in the output address space an amount dependent upon a difference, in the virtual memory address space, between the given virtual memory address and the virtual memory address at the predetermined position relative to the range of virtual memory addresses.
 17. The method of claim 11, further comprising: allocating an output address range to a virtual machine; allocating a first range of virtual addresses to a first application in the virtual machine, the first application having a first context; storing translation data indicative of: the first range of virtual memory addresses, an identifier of the first context, and a translation between a virtual memory address in the first range of virtual memory addresses and a corresponding output memory address in the output address range; allocating a second range of virtual addresses a second application in the virtual machine, the second application having a second context nested within the first context; and storing translation data indicative of: the second range of virtual memory addresses, an identifier of the second context, and a translation between a virtual memory address in the second range of virtual memory addresses and a corresponding output memory address in the output address range. 